
When scripting with PowerShell, you have to make sure your script is allowed to be run on the machine in question using a certificate. If any changes at all are made to the script, then the certificate has to be re-signed for the script to be run again; this works great until you have made changes to a script that you want to run on multiple machines.

Is it possible to use PowerShell to import an updated certificate on a remote machine for a specific script?

If I change a signed script, I have to re-sign it or I get this error:

. : File \\server\Redirected\yy-XXXX\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 cannot
be loaded. The contents of file \\server\Redirected\yy-XXXX\My
Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 may have been tampered because the hash of the file does
not match the hash stored in the digital signature. The script will not execute on the system. Please see "get-help
about_signing" for more details..
At line:1 char:3
+ . '\\server\Redirected\yy-XXXX\My Documents\WindowsPowerShell\Microsof ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
leeand00
  • And of course I'm talking about my PowerShell profile... – leeand00 Aug 04 '16 at 16:58
  • `When scripting with powershell you have to make sure your script is allowed to be run on the machine in question using a certificate` - That's not technically true. The Execution Policy determines this. It's a given that you wouldn't have your Execution Policy set to Unrestricted or Bypass, but that can't be assumed. – joeqwerty Aug 04 '16 at 18:24
  • You just need to add your code signing cert to the TrustedPublishers store on the target machines. Is this an AD domain? Was the code signing cert issued by the domain CA? – jscott Aug 04 '16 at 19:21
  • Yes it is an AD Domain; and no I don't think it was... – leeand00 Aug 04 '16 at 19:22

1 Answer


If any changes at all are made to the script, then the certificate has to be re-signed for the script to be run again

This is incorrect. If legitimate changes are made to the script, the script must be re-signed. There is no need to change the certificate, because it remains the same.

Crypt32
  • Define legitimate. – leeand00 Aug 04 '16 at 18:26
  • Legitimate == authorized. – Crypt32 Aug 04 '16 at 18:28
  • I get the error above when I edit the script with gvim running as my admin account; so it isn't authorized? So I have to sign it again? – leeand00 Aug 04 '16 at 19:18
  • They are not authorized until the script is re-signed. The system cannot determine whether the changes are authorized or are the result of hacking activity. You must re-sign the script. – Crypt32 Aug 04 '16 at 19:25
  • But if the cert I signed the script with was issued by our domain's CA, then it would work? – leeand00 Aug 04 '16 at 19:26
  • Why not? Though, you have to configure your systems to trust your signing certificate: https://blogs.technet.microsoft.com/heyscriptingguy/2010/06/17/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2/ – Crypt32 Aug 04 '16 at 19:28
  • Wait, but you can't use PowerShell to import a certificate, or am I right? – leeand00 Aug 04 '16 at 19:36
  • You can, but at enterprise scale it is advisable to use GPO. – Crypt32 Aug 04 '16 at 19:38